• New Android malware named MobiHok RAT that seems to share code with the SpyNote RAT has emerged.
  • Researchers from SenseCy, a threat intelligence firm, have observed a threat actor who goes by ‘mobeebom’ offering MobiHok v4 on various forums.

The big picture

It was observerd that MobiHok v4 was promoted by a threat actor, mobeebom, on multiple forums including a popular English-speaking one.

  • Most of the forums used for promotions were Arab-based which indicates the possibility that mobeebom speaks Arabic.
  • The RAT is also being promoted on Facebook and YouTube since early 2019.
  • MobiHok, also known as MobeRat, is written in Visual Basic .NET and Android Studio.
  • Researchers who analyzed this RAT’s code believe that certain modifications were made to SpyNote RAT’s code to develop this malware.

SenseCy researchers in their report say that the threat actor’s declared intention is to make MobiHok the top Android RAT.

Capabilities of MobiHok

According to mobeebom’s website, there are various options for purchasing MobiHok. This includes purchasing the entire source code for $15,000. The website states that the malware’s capabilities include:

  • Keylogging
  • Terminal
  • Control of files
  • Control of camera
  • Control of SMS
  • Control of apps
  • Control of contacts
  • Control of phone settings
  • Bypass of Google Play security mechanism
  • Bypass of Samsung security mechanism


“To conclude, despite mobeebom’s attempt to market his MobiHok v4 Android RAT as new and his declared intention to make it the top Android RAT on the market, it appears that this malware is based on the leaked source code of the known SpyNote Android RAT with only minor changes and is being reselled by the threat actor under a different name,” say SenseCy researchers.

Cyware Publisher